Threat Actor Targets Libyans with Malware via Facebook

A threat group has been targeting mobile and desktop users in Libya with malware through Facebook pages, Check Point has discovered.

The campaign, which the cybersecurity firm has dubbed Operation Tripoli, has abused the social network for years to host fraudulent pages, and has also compromised legitimate websites to host malware and spread it to “tens of thousands of victims mainly from Libya, but also in Europe, the United States and Canada.”

One of the pages was impersonating Khalifa Haftar, the commander of Libya’s National Army and a prominent figure in Libya’s political arena. Since its creation in April 2019, the page gathered over 11,000 followers.

In addition to posts with political themes, the page also shares URLs to download files that the attacker claims to be leaks from Libya’s intelligence units. Some of the links supposedly lead to mobile apps that allow citizens to join the Libyan armed forces.

Instead of the promised content, however, users following these links are taken to malicious VBE or WSF files for Windows environments, and APK files for Android, to infect them with known remote administration tools (RATs) such as Houdini, Remcos, and SpyNote.

The malicious samples would usually be stored in file hosting services such as Google Drive, Dropbox, Box and more, but compromised websites were also used to host the malware, including a Russian website, an Israeli website, and a Moroccan news website. The attacker also compromised the site of Libyana, a large mobile operator in Libya, and hosted a malware-packed archive on it back in 2014.

By following the username in the Facebook page’s web address (@kalifhafatr, a misspelling of Haftar’s name) and the grammatical mistakes found in almost every post, Check Point’s security researchers were able to identify a network of over 30 Facebook pages operated by the same threat actor as part of a widespread operation ongoing since at least 2014.

Some of these Facebook pages were highly popular, with more than 100K users, the researchers reveal. All of them have already been taken down.

Over the years, the actor has used more than 40 unique malicious links, some of which were spread via more than one page. The majority of the URLs had thousands of clicks, mostly around the time they were created and shared.

The pages would publish updates about the most recent events in Libya, in an attempt to engage their followers and not arouse suspicion. The posts were copied across multiple pages on the same day.

Despite the use of political themes related to Libya, however, the actor does not appear to favor one political party over another, the security researchers say. The content mainly warns against external or internal threats.

The applications and VBE scripts used in this campaign communicated with the same command and control (C&C) server, at drpc.duckdns[.]org. This led the researchers to find a Facebook account that belongs to the attacker, who appears to be Libyan.
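The two observable stages the article describes are the delivery stage (VBE, WSF or APK files fetched from file-hosting services, as above) and the C&C stage (traffic to drpc.duckdns[.]org). The following detection sketch is an added example written for this page, not code from Check Point or from the report; the log format, the sample log lines, the list of file-hosting domains and the dynamic-DNS suffix list are constructed assumptions, while the C2 hostname is the one named in the article. It flags each stage separately and then correlates per client, so a host that both downloaded a lure and contacted the C2 stands out from one that merely clicked a link.

```python
"""
Detection sketch for Operation Tripoli-style delivery and C2 traffic
(added example; log format and sample lines are constructed).

Stage "delivery": VBE/WSF/APK download served from a public file-hosting service.
Stage "c2":       lookup of / connection to the reported C2 host, or (lower
                  confidence) any dynamic-DNS host.
"""
import re
from urllib.parse import urlparse

# C&C hostname reported for the campaign (defanged in the article as drpc.duckdns[.]org).
KNOWN_C2 = {"drpc.duckdns.org"}
# Dynamic-DNS suffixes to treat as low-confidence C2 indicators (assumption: site-specific list).
DYNDNS_SUFFIXES = (".duckdns.org",)
# File-hosting services the report names as hosting the samples (domains assumed).
FILE_HOSTS = ("drive.google.com", "dropbox.com", "box.com")
# Payload extensions the report names for the Windows and Android lures.
PAYLOAD_EXTS = (".vbe", ".wsf", ".apk")

# Constructed proxy/DNS log: "<timestamp> <client> <GET|DNS|CONNECT> <target>"
SAMPLE_LOG = """\
2019-06-01T10:00:01 10.0.0.5 GET https://www.facebook.com/kalifhafatr/
2019-06-01T10:00:09 10.0.0.5 GET https://drive.google.com/uc?export=download&id=EXAMPLEID1
2019-06-01T10:00:10 10.0.0.5 GET https://www.dropbox.com/s/EXAMPLEID2/leaks.vbe?dl=1
2019-06-01T10:00:31 10.0.0.5 DNS drpc.duckdns.org
2019-06-01T10:00:32 10.0.0.5 CONNECT drpc.duckdns.org:443
2019-06-01T10:05:00 10.0.0.7 GET https://example.com/report.pdf
2019-06-01T10:06:00 10.0.0.7 DNS updates.example.org
2019-06-01T10:07:00 10.0.0.9 GET https://www.dropbox.com/s/EXAMPLEID3/join-army.apk?dl=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<kind>GET|DNS|CONNECT)\s+(?P<target>\S+)$"
)


def _host_of(kind, target):
    """Hostname for a URL (GET) or a bare host[:port] (DNS/CONNECT), lowercased."""
    if kind == "GET":
        return (urlparse(target).hostname or "").lower()
    return target.split(":")[0].lower()


def _is_file_host(host):
    return any(host == h or host.endswith("." + h) for h in FILE_HOSTS)


def classify(line):
    """Return (stage, severity, reason) for a suspicious line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind, target = m["kind"], m["target"]
    host = _host_of(kind, target)

    if host in KNOWN_C2:
        return ("c2", "high", f"traffic to reported C2 host {host}")
    if kind == "GET":
        path = urlparse(target).path.lower()
        ext = next((e for e in PAYLOAD_EXTS if path.endswith(e)), None)
        if ext and _is_file_host(host):
            return ("delivery", "medium", f"{ext} download from file-hosting service {host}")
    if host.endswith(DYNDNS_SUFFIXES):
        return ("c2", "low", f"dynamic-DNS host {host}")
    return None


def scan(log_text):
    """Run classify() over every line; return one finding dict per hit."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        verdict = classify(line) if m else None
        if verdict:
            stage, severity, reason = verdict
            findings.append({"ts": m["ts"], "client": m["client"], "stage": stage,
                             "severity": severity, "reason": reason})
    return findings


def likely_infected(findings):
    """Clients that show both a lure download and C2/dynamic-DNS contact."""
    stages_by_client = {}
    for f in findings:
        stages_by_client.setdefault(f["client"], set()).add(f["stage"])
    return sorted(c for c, stages in stages_by_client.items()
                  if {"delivery", "c2"} <= stages)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} {f['client']} [{f['severity']}] {f['reason']}")
    print("likely infected:", likely_infected(hits))
```

On the constructed log the Google Drive line is not flagged, because nothing in its URL reveals the file type; in practice the Content-Type or the downloaded file's extension from the proxy's response log would be the better signal there, and the defanged hostname should be matched in both DNS and proxy data since the VBE scripts and the Android apps share it.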

“This account repeated the same typos that we have observed in the involved pages, enabling us to assess with high confidence that this is the same person that wrote the posts’ content. The account also openly shared almost every aspect of this malicious activity, including screenshots from the panels where the victims were managed,” the researchers say.

The attacker shared sensitive information stolen from the victims, such as secret documents belonging to Libya’s government, e-mails, phone numbers belonging to officials, and pictures of the officials’ passports.

Check Point was able to observe the evolution of the attacker from the early days and noticed that they don’t use an advanced set of tools. However, the use of tailored content, legitimate websites, and highly active pages allowed them to potentially infect thousands.

“Although the attacker does not endorse a political party or any of the conflicting sides in Libya, their actions do seem to be motivated by political events. This can be implied from the participation in operations like OpSyria years ago, as well as the willingness to expose secret documents and personal information stolen from the Libyan government. This is juxtaposed with the constant targeting of Libyan victims but might mean that the attacker is after certain individuals within the larger crowd,” Check Point concludes.